HIPAA, as a regulatory framework, imposes strict compliance standards on entities that handle health records. Credit card processing, however, is exempted on the premise that payment processing services deal exclusively with payment information and do not involve the storage, handling, or transmission of health records or electronic protected health information (ePHI).
This is stated in 42 USC §1320d-8, which says “to the extent that an entity is engaged in activities of a financial institution or is engaged in authorizing, processing, clearing, settling, billing, transferring, reconciling, or collecting payments, for a financial institution, this part [the HIPAA Administrative Simplification Regulations] and any standard adopted under this part, shall not apply to the entity with respect to such activities.”
For healthcare organizations, the HIPAA credit card exemption means they must keep their handling of health information clearly separated from their financial transactions, including credit card processing. Healthcare providers should not use credit card processing services to store or manage health records; doing so would violate the terms of those services and would place ePHI with a vendor that has no HIPAA obligations to protect it.
The exemption covers only the payment activity itself. Healthcare organizations must still meet every HIPAA requirement for protecting the ePHI they hold, whether or not that data is related to a credit card payment.
Because credit card processors are exempt from HIPAA for their payment-processing activities, healthcare organizations are not required to sign business associate agreements with these service providers for those activities. This simplifies the contractual relationship between healthcare organizations and their payment-processing partners.
Read also: What is a business associate agreement?
While the credit card payment service itself may not be subject to HIPAA, healthcare organizations and professionals must still exercise diligence in keeping financial transactions separate from the handling of health records.
Healthcare organizations must never use credit card payment services to store or manage ePHI, and healthcare professionals must understand that these services are limited to payment data and are not a place for health information.
Healthcare organizations must adhere to the terms and conditions set by their credit card payment service providers. These terms typically stipulate that the services must not be used for storing or handling health records. Violating them breaches the contract and, because the processor has no business associate agreement, can also amount to an impermissible disclosure of ePHI under HIPAA.
Even though credit card payment services are not subject to HIPAA, healthcare organizations should still maintain strong data security practices around them. In practice this means sending the processor only what a payment requires (cardholder name, amount, card details) and keeping clinical detail such as diagnoses or treatment descriptions out of memo, descriptor, or note fields.
If healthcare organizations need to exchange ePHI via email, they should use a HIPAA compliant email service that ensures the secure transmission and storage of sensitive health information.
Learn more: HIPAA Compliant Email: The Definitive Guide
While the HIPAA credit card exemption is generally applicable, there are some scenarios where exceptions may arise.
If a healthcare organization uses a self-developed online payment portal that transmits ePHI to a payment processor through a third-party service, the exemption may not cover that third party: it is performing a service for the healthcare organization rather than acting as a financial institution. In such cases, the healthcare organization must ensure that the third-party service provider complies with HIPAA, which generally means treating it as a business associate.
Similarly, if a healthcare provider uses a third party's point-of-sale (POS) terminal, any ePHI disclosed to that third party must be protected under HIPAA.
In some cases, an entity providing payment processing services on behalf of a financial institution may also offer secondary services, such as invoicing or billing, to the healthcare organization. In these instances, the payment processor may be considered a business associate and a business associate agreement (BAA) must be in place.
Related: Guide to online payment options & HIPAA compliance
The key players are the cardholder (patient), the credit card issuer (the patient's bank or credit union), the merchant (healthcare provider), the merchant's payment processor or acquiring bank, and the card network (Visa, MasterCard, etc.) that routes the transaction between them.
The process begins with the patient swiping, dipping, or tapping their card at the provider's location. The transaction details are sent to the payment processor, which forwards the authorization request through the card network to the issuer. The issuer approves or declines the transaction, and the response is relayed back along the same path to the provider.
Healthcare providers must choose processors that adhere to PCI DSS to protect patient payment information from unauthorized access. PCI DSS governs card data and HIPAA governs ePHI; the two regimes cover different data sets, which is why the separation described above matters. A processor's PCI DSS compliance does not make it a HIPAA-compliant place to store or transmit ePHI.
Generally, a credit card processor is not a business associate. When a processor handles financial transactions, it does not perform a HIPAA-covered function for the provider. However, if the processor also provides practice management or medical billing services, it becomes a business associate for those services and must comply with HIPAA safeguards under a business associate agreement.